Issue with _delete_by_query

afassl · April 5, 2019, 1:37pm

Hi,
we've encountered a kind of strange issue and solved it by a workaround, but not sure, if the issue is caused by a bug or the request string.
We've had to delete certain entries from an index, according to the documentation the query has to look like this:

curl -XPOST "http://kibana.company.com:9200/_delete_by_query" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": “xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": “xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-04-05",
"gte": "2019-04-04",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
But this call throws an error:
{"error":"Incorrect HTTP method for uri [/_delete_by_query] and method [POST], allowed: [HEAD, PUT, GET, DELETE]","status":405}

But the corresponding search query is fine:
curl -XGET "http://kibana.company.com:9200/_search" -H 'Content-Type: application/json' -d'
{
"query": {
"bool": {
"must": [
{
"match": {
"_index": {
"query": “xxx-6.5.4-error-*"
}
}
},
{
"match": {
"context.service.name": {
"query": “xxx-production"
}
}
},
{
"range": {
"@timestamp": {
"lt": "2019-12-31",
"gte": "2019-01-01",
"format": "yyyy-MM-dd||yyyy-MM-dd||yyyy||yyyy-MM"
}
}
}
]
}
}
}
'
and delivered as expected 2800 entries.

we've only been able to get the delete done, by adding the index into the the URI
curl -XPOST ’http://kibana.company.com:9200/xxx-6.5.4-error-date/_delete_by_query
and to execute it per day.

We are currently running elastic 6.3. But I'm assuming this is not related to the version.

Any idea?

Best regards

BenTrent · April 5, 2019, 2:00pm

Heya @afassl!

_delete_by_query requires the index patterns to be included in the url.
curl -XPOST "http://kibana.company.com:9200/my-index/_delete_by_query" should work.

elasticforme · April 5, 2019, 2:07pm

I just tested this and it worked. I had 73,000 document count which got deleted.

curl -XPOST "http://elkm01:9200/metricbeat_sysstat_2019/_delete_by_query?conflicts=proceed" -H 'Content-Type: application/json' -d'
     {
       "query": {
         "range": {
           "@timestamp": {
             "gte": "01-01-2019",
             "lte": "02-01-2019",
             "format": "MM-dd-yyyy||yyyy-MM-dd||yyyy||yyyy-MM"
           }
         }
       }
     }'

afassl · April 5, 2019, 3:43pm

Thanks a lot - so - a feature - not a bug.

Last question - possible to use a wildcard in the index? Not sure if this will be parsed, as we've already removed the data - can't test that

But again - thanks a lot

Best regards
Andreas

elasticforme · April 8, 2019, 2:47pm

yes you can use wildcard in query and delete the data

system · May 6, 2019, 2:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't get delete by query to actually delete Elasticsearch	20	3933	December 5, 2019
Inconsistent results when searching/deleting documents containing quotes Kibana eql-elastic-query-language	9	379	June 27, 2022
Delete by Query - Based on time Kibana	5	2755	February 27, 2018
Version_conflict when trying to delete documents using _delete_by_query API Elasticsearch	1	531	April 14, 2023
Delete By Query Elasticsearch	3	492	July 6, 2017

Issue with _delete_by_query

Related Topics